2022-09-02

ORDINANCE # [illegible]

AN ORDINANCE ADOPTING THE CITY OF BATESVILLE EMPLOYEE HANDBOOK FOR THE CITY OF BATESVILLE; AND FOR OTHER PURPOSES

WHEREAS, from time to time it is necessary to update and modify the City's Employee Handbook; and

WHEREAS, it has been several years since the City's Employee Handbook has been updated; and

WHEREAS, since the last amendment to the City's Employee Handbook, the City has added an information technology department which has policies to be included in the Handbook; and

WHEREAS, the City Council finds and determines that the adoption of the said policy is in the best interest of the employees of the city of Batesville and its citizens.

NOW THEREFORE, BE IT ORDAINED BY THE CITY COUNCIL FOR THE CITY OF BATESVILLE, ARKANSAS:

Section 1. The updated City of Batesville Employee Handbook presented to the city council is hereby adopted.

Section 2. All previous versions of the City of Batesville Employee Handbook are hereby nullified.

EMERGENCY CLAUSE: The City of Batesville Employee Handbook affects the employees of the city departments, who in turn contribute to the safety and welfare of the residents of Batesville, Arkansas; therefore an emergency is hereby declared to exist and this Ordinance shall be in full force and effect from and after its passage.

PASSED AND ADOPTED this [illegible] day of [illegible], 2022.

APPROVED: RICK ELUMBAUGH

ATTEST: DENISE M. JOHNSTON, CITY CLERK

P. Information Technology Policy
Producing, exchanging, and retrieving information electronically by taking advantage of computer technology present valuable opportunities for the City of Batesville. While employees are encouraged to use this technology, its use carries important responsibilities.
Hardware (including but not limited to computers, computer systems, laptop computers, and electronic media equipment, printers, networking equipment, fax or facsimile machines, monitors, phone and VOIP equipment, etc.) and software (including but not limited to computer accounts, voice mail, networks, electronic mail (E-mail), Internet and World Wide Web access connections, etc.) at the City of Batesville are provided for business related use by the city employees. It is the responsibility of the employees to see that these Information Technology and Internet of Things (IoT) systems are used in an efficient, ethical, and lawful manner. The use of Information Technology systems is a privilege extended by the City of Batesville and may be withdrawn at any time. An employee's use of these systems may be suspended immediately upon the discovery of a possible violation of these policies.

Information Technology Access Control Policy
The City of Batesville maintains access control both physically and digitally for employees and users, including vendors, based on access level, duty requirement, job function, or responsibilities. This access control is audited regularly for employee and user changes to preserve and protect the integrity and security of the City of Batesville. Potential physical access control systems might include, but are not limited to, security gate or pin pad door locks including keypad entry systems. New employees will be set up with Human Resources and Payroll and subsequent access control accounts will be created through the Information Technology department. Once the user has left employment or has been terminated, the access control account will be disabled. Potential digital access control systems might include, but are not limited to, any user account with password. Privileged or elevated access can only be provided by the Information Technology department and only if the digital access control allows it.
The Information Technology department can revoke this administrator access when privileged access is no longer necessary. Password sharing and reuse/overuse is a security risk and not recommended. Any password that does not meet complexity requirements is insecure. Any password that is reused or used on another account is insecure, no matter how complex it is. By reusing or sharing passwords, you allow others the ability to access your account(s) whether onsite or off. This also increases the chance for account compromise and vulnerability for a cyberattack. Ultimately, you may potentially lose control of or access to any and/or all accounts associated with that password.

Information Technology Continuity Policy
The purpose of the Information Technology Continuity Policy is to plan for continuation of the city's Information Technology in the event of a disruption or a disaster. This policy will be amended and expanded on as it is reviewed on an annual basis. For complete details on the current Information Technology Continuity Policy, please see the Information Technology department for an up-to-date document.

Information Technology Cyber Security Policy
The City of Batesville maintains that Cyber Security is one of the city's top priorities to keep the City of Batesville and its employees safe and secure. The Information Technology department will do this by instituting policies, educating and testing employees, keeping software up-to-date, establishing standards for all departments to follow, and ensuring a set of guidelines is in place.

Information Technology Data Breach Policy
The Information Technology Data Breach Policy requires that any individual who suspects that a breach or exposure of City of Batesville protected data information (PDI) or sensitive data information (SDI) has occurred must immediately contact your supervisor, Human Resources, and the Information Technology department.
If any individual suspects that a theft has occurred, please see Information Technology Lost or Stolen Policy. This policy applies to anyone who may collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information (PII), financial, payment card industry (PCI), or similar. In the event that any possible breach or exposure has potentially occurred, please provide a description of what occurred with as much detail as possible. An investigation will begin to identify the scope of the incident, which may include law enforcement. After discovery, containment, and remediation (including preserving evidence), notification will occur to all appropriate parties. Violations of this Information Technology Data Breach Policy shall be penalized and prosecuted up to the maximum amounts permissible under local, state, and federal law.

Information Technology Disaster Recovery Policy
The City of Batesville shall conduct a risk assessment in case a disaster should occur and plan for recovery in the event one happens. The goal of the policy is to ensure information system uptime, data integrity and availability, and city business continuity. To see the full Disaster Recovery Plan, please contact Human Resources or the Information Technology department.

Information Technology Email Policy
The City of Batesville allows the use of electronic mail or email for city purposes. Both have primary and secondary uses within and outside the City of Batesville. The purpose of the City's email system is to ensure a proper medium of digital communication between city employees and any recipient. This may include other employees, the public, vendors, or any agents operating on behalf of the City of Batesville.
All use of email must be consistent with policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. A City of Batesville email account should be used primarily for city related purposes; personal communication is permitted on a limited basis, but non-city related commercial uses are prohibited. Email should be retained only if it qualifies as a city record. Email is a city record if there exists a legitimate and ongoing business reason to preserve the information contained in the email. The city email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any employee should report the matter to Human Resources immediately. Users are prohibited from automatically forwarding email to a third-party email system. Individual messages which are forwarded by the user must not contain confidential or above information. Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail, etc. to conduct business, to create or memorialize any binding transactions, or to store or retain email on behalf of. Such communications and transactions should be conducted through proper channels using city-approved documentation. Using a reasonable amount of city resources for personal emails is acceptable, but non-work-related email shall be saved in a separate location from work-related email. Sending chain letters or joke emails from a city email account is prohibited. City employees shall have no expectation of privacy in anything they store, send, or receive on the city's email system. The City of Batesville may monitor messages without prior notice but is not obliged to monitor email messages.
Any City of Batesville employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Information Technology Data Policy
City of Batesville data falls under two categories: sensitive and non-sensitive. Per the Employee Confidentiality and Compliance Policy, confidential and/or proprietary information is secret, valuable, expensive, and/or easily replicated. Common examples of confidential and/or proprietary information are:
• CJIS information
• Unpublished financial information
• Data of customers, partners, and/or vendors including bills, invoices, quotes, and/or receipts
• Patents, formulas, or new technologies
• Customer lists (existing and prospective)
• Data entrusted to the City of Batesville by external parties
• Pricing, quotes, marketing, and/or other undisclosed strategies
• Documents and processes explicitly marked as confidential
• Unpublished goals, forecasts, and/or initiatives marked as confidential
Employees may have various levels of authorized access to confidential and/or proprietary information. Sensitive data is any data that could be expressed as confidential and/or proprietary information. Non-sensitive is any other data that can be made available publicly.

Information Technology Encryption Policy:
All devices at the City of Batesville that have a storage medium such as hard drive and have the ability to remove such storage medium shall be encrypted. The encryption will be based on levels and responsibility.
A. Level 1: Any hard drive in any computer will have basic hard drive encryption. This will not require a password entry for the hard drive at boot but will require it to be encrypted if the hard drive is removed.
B. Level 2: Laptops, tablets, and portable devices such as flash drives (containers within for sensitive data), and any computers that have CJIS, PCI compliant, or other sensitive information.
If there is any question if a device is or should be encrypted, please consult with the Information Technology department.

Information Technology Equipment Disposal Policy:
All technology hardware equipment at the City of Batesville has a finite life span after which it must be disposed of in a technologically and ecologically safe manner. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, optical and other storage media contain various kinds of data, most of which is considered sensitive. In order to protect our city's data, all storage mediums must be properly erased before disposal. These types of data must be destroyed either digitally or physically. If media is repurposed for on-prem use, the data on it must be digitally destroyed using a DoD 5022.22-M standard erase/wipe method of destruction at minimum. If physically destroying, media must be shredded in accordance with NIST 800-88 guidelines. All media containing sensitive data, when it is removed from service at end of its useful life span, must be destroyed physically before leaving the possession of the City of Batesville. If the technology hardware is fit to be reused, it can be refurbished for reuse. E-Waste disposal for the remainder must be taken to an approved E-Waste disposal or recycling center. If disposing of a computer or laptop, a City of Batesville Fixed Asset Transfer/Disposal Form needs to be filled out and submitted.

Information Technology Equipment Usage Policy
The City of Batesville Information Technology department allows, under certain circumstances, usage of equipment on a limited time basis other than equipment that is assigned to them. These may include computers, laptops, printers, etc. for temporary work purposes and may involve travel outside normal circumstances. Acquisition of these items is on a first-come, first-served basis and requires sign out.
Special provisions can be made if the item needed isn't available if approved by the Information Technology department and higher authority. Items provided need to be work-related in usage and approved by the employee's department head and Information Technology department. Any items provided, including temporary usage items, that will leave the area of the City of Batesville (i.e., Independence County) must also be approved by the employee's department head and Information Technology department.

Information Technology Internet Usage Policy
The Information Technology Internet Usage Policy applies to all employees at the City of Batesville that use hardware and/or software to access the Internet. While access is provided to the employees for City of Batesville use, there are risks involved with the misuse of the hardware or software assets belonging to the City of Batesville which may cause the City of Batesville to face loss of reputation and possible legal action. All information found on the Internet should be considered suspect until confirmed by another reliable source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate. Access to the Internet will be provided to users to support city activities and only on an as-needed basis to perform their jobs and professional roles. The city employees are expected to be familiar with and to comply with this policy, and are also required to use their common sense and exercise their good judgment while using Internet services. Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts race, sex or creed is specifically prohibited. The city also prohibits the conduct of a business enterprise, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials.
Other activities that are strictly prohibited include, but are not limited to:
• Accessing city information that is not within the scope of one's work. This includes unauthorized reading of customer account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions.
• Misusing, disclosing without proper authorization, or altering customer or personnel information. This includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel.
• Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulations, local, state, national or international law including without limitations US export control laws and regulations.
• Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise.
• Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls.
• Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs.
• Any form of gambling.
• Unauthorized downloading of any shareware programs or files for use without authorization in advance from the Information Technology department and the user's manager.
• Playing of any games.
• Forwarding of chain letters.
Some prohibited items will automatically be prevented via the City of Batesville's cybersecurity systems.
These may include but are not limited to the firewall system, the antivirus installed on each computer or laptop, the antimalware running within software(s), the network defense running within software(s), and other miscellaneous components. Internet access will be discontinued upon termination of employee, completion of vendor assignment, end of service of non-employee, or disciplinary action arising from violation of this policy.

Information Technology Lost or Stolen Policy:
The City of Batesville employees are legally obligated to protect any and all sensitive data. This data should be locked or secured by the responsible employee(s) at all times. If at any time you discover your Information Technology is no longer in your possession, other than intended, or has become compromised, it is considered a breach of security and the City of Batesville must take steps to mitigate the harm and/or damage that could potentially result. If you are unsure what constitutes lost or stolen, contact Human Resources. The moment you, as a City of Batesville employee, realize that Information Technology has been lost or stolen, you must contact Human Resources, the Information Technology department and local police authorities. Please fill out and email the Information Technology Lost or Stolen Form provided by Human Resources. If the Information Technology was stolen, we will need at minimum, information provided from the police report and a copy of the police report if possible. If this item was lost or stolen outside of Independence County or Arkansas, you will also need to contact said law enforcement for that location as well. If this item was lost or stolen outside the country, you will need to contact Interpol or that country's local police equivalent, whoever has jurisdiction. Also see: Information Technology Data Breach Policy.

Information Technology Remote Access Policy
The City of Batesville Information Technology department utilizes remote access in different, secure and encrypted forms, both directly and indirectly. Direct access will be controlled by either using a Virtual Private Network (VPN) tunnel or by remote access software provided or approved by the Information Technology department. Insecure software, such as Remote Desktop Protocol (RDP), is prohibited from being used on any city computer or laptop. Indirect access will be available by means of antivirus or antimalware, for example, for means of removing any security threats. Remote access will only be granted from the Information Technology department to authorized users. Authorized users shall protect their access at all times. These users shall keep their credentials private and secure, and will not share them with anyone, including other employees or family members. Failure to keep remote access safe and secure will result in a possible data breach or worse, potential irreversible damage and destruction to the City of Batesville. Any remote access not authorized by the Information Technology department or any connections to equipment that circumvent usage of Information Technology department-provided access will be removed. This may include alternate or free versions of hosts or clients and can involve the block or ban of outside connections. Please see Information Technology Data Breach Policy and/or Information Technology Lost or Stolen Policy for further details.

Information Technology Software Policy
The City of Batesville allows the employees certain provisions to use and maintain software for permitted use on employee computers and laptops. This right does not extend to uses that may violate certain laws, regulations, terms and agreements, including licensing. All software must be properly licensed and any licenses must be kept or provided to the Information Technology department to be stored in case of an audit.
Any third-party software not intended to be used for work purposes will need to be authorized by the Information Technology department. Unless authorized by the Information Technology department, the following software is prohibited from being installed or used:
• Software used to compromise the security or integrity of computer networks and security controls such as hacking tools, password descramblers, network sniffers, and port scanners.
• Software that elevates the authority of one user for another, for the purpose of gaining access to systems, applications, or data illegally.
• Software which instructs or enables the user to bypass normal security controls.
• Software which instructs or enables the user to participate in any activity considered a threat to local, state or national security, including the assistance or transfer of information leading to terrorist activity or construction or possession of illegal weapons.
• Alternate software which enables an employee to circumvent data collection and online status by not using provided software.
Any software found in violation may be removed from an employee computer or laptop.

Information Technology Surveillance Policy
The purpose of the Information Technology Surveillance Policy is to provide a transparent environment between the City of Batesville, its employees, and the public. The City of Batesville maintains a camera surveillance system at each location per department or departments under the supervision of the Information Technology department. Each of the systems in place consists of IP cameras and/or NVR (Network Video Recorders) that may include CCTV security for public safety and security. This policy is in place to ensure a safe workspace for all employees and to protect any assets of the City of Batesville. Camera surveillance includes audio and/or video recording of all activities within the range of each camera.
At no time will employees alter, blind, block, disrupt, reposition, unplug, or otherwise interfere with any of the cameras or camera operations at the City of Batesville. Any employee willfully interfering with any cameras at the City of Batesville will face disciplinary action. The City of Batesville maintains a vehicle tracking surveillance system per department or departments. The purpose is to monitor and record the geographical location of each city vehicle. The City of Batesville maintains defensive surveillance on all computers and laptops (see Information Technology Cyber Security Policy).